How to prevent email attachments being sent outside the organization

A common feature request AirWatch receives is the ability for the Secure Email Gateway to prevent users from sending email attachments to recipients outside of their organization.

AirWatch has decided not to implement this feature using the AirWatch SEG for the following reasons:

Implementing such a feature on the SEG for ActiveSync traffic does not completely solve the problem, because a user can still forward emails and attachments to personal or third-party accounts through Outlook. Implementing this feature through the SEG would only block email attachment forwarding from mobile devices, not from desktops or webmail applications.

Setting up and configuring such a feature through AirWatch Email Policies would add unnecessary complexity without solving the root cause of the problem.

This article will discuss some steps an administrator can take in order to enforce email and attachment security using Exchange properties in conjunction with SEG features.

Using Exchange Transport Rules to Prevent Attachments from being Leaked

In Exchange 2007 or newer, administrators can configure transport rules in order to control the flow of email traffic. Exchange allows the administrator to secure confidential messages and attachments while ensuring information is not leaked by mail users (knowingly or unknowingly) to recipients outside the organization. Because these rules are applicable on an Exchange-wide level, they provide the maximum level of security.

Transport rules in Exchange can inspect an email and take actions based on a set of rules configured by the administrator. Once a transport rule is configured and enabled, each email is inspected, the configured rules are evaluated, and the corresponding actions are taken.

In this article, we will specifically address email attachment security.

On the Exchange server, open Exchange Management Console (or Exchange Administration Center if using Exchange 2013). Navigate to Organization Configuration > Hub Transport and click on New Transport Rule on the right panel.

In this example we have configured Exchange to apply the rule to all messages that are sent to users outside the organization when the size of any attachment is greater than or equal to 0 KB. This is important to note: Exchange allows you to block based on attachment size or on a text pattern in the attachment file name, and a size threshold of 0 KB makes the condition match any attachment. You can optionally consider some of the other conditions that are available.

Next, choose the actions to take on any email that matches the rule above. Pertinent options are BCC'ing an admin and silently dropping the message.

Additionally, you can configure exceptions to these rules (for example, exempting the CEO) by adding their mailbox to the list of exempted people. Create and activate this rule by completing the wizard.

Going forward, this transport rule will be applied to all outbound communications on the Exchange servers, whether they originate from a mobile device or a computer, and will help ensure attachment security within your organization.
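The same rule can also be created from the Exchange Management Shell instead of the wizard. The following is an added example, not part of the original AirWatch article; it assumes the Exchange 2010 or newer New-TransportRule parameter set, and the rule name and mailbox addresses are placeholders. It creates the rule disabled so it can be reviewed before it starts dropping mail.

```powershell
# Added example: shell equivalent of the wizard steps described above.
# Run in the Exchange Management Shell (Exchange 2010 or newer parameter set).

# Placeholder values (assumptions), replace with your own.
$ruleName = 'Block attachments to external recipients'  # hypothetical rule name
$exempt   = 'ceo@example.com'                           # sender(s) exempt from the rule
$auditBox = 'mail-audit@example.com'                    # admin mailbox for the BCC option

# Condition : recipient is outside the organization AND any attachment >= 0 KB
# Action    : silently drop the message
# Exception : message is from an exempted sender
# -Enabled $false creates the rule switched off so it can be checked first.
New-TransportRule -Name $ruleName `
    -SentToScope NotInOrganization `
    -AttachmentSizeOver 0KB `
    -DeleteMessage $true `
    -ExceptIfFrom $exempt `
    -Enabled $false

# To BCC an administrator rather than drop the message, replace
#   -DeleteMessage $true
# with
#   -BlindCopyTo $auditBox

# Review what was stored before turning the rule on.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Priority, SentToScope, AttachmentSizeOver,
                DeleteMessage, BlindCopyTo, ExceptIfFrom

# Activate the rule once the conditions, action and exceptions look right.
Enable-TransportRule -Identity $ruleName

# Confirm the rule is enabled and see where it sits in the evaluation order.
Get-TransportRule | Sort-Object Priority | Format-Table Priority, Name, State -AutoSize
```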